Protect against malicious DNS replies with very large RRsets.

2025-12-19 10:18:25 +00:00 · 2014-02-06 12:01:05 +00:00
parent 12fae49fff
commit bb201c211a
1 changed files with 5 additions and 0 deletions
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -531,6 +531,11 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in
 		{
 		  unsigned char **new;

+		  /* Protect against insane/maliciuos queries which bloat the workspace
+		     and eat CPU in the sort */
+		  if (rrsetidx >= 100)
+		    return STAT_INSECURE; 
+
 		  /* expand */
 		  if (!(new = whine_malloc((rrset_sz + 5) * sizeof(unsigned char **))))
 		    return STAT_INSECURE;